Leak of 23,000 Private Keys Triggers Security ScrambleDigital Certificate Revocation Blame Game: Trustico Swaps Blows With DigiCert
(Editor's Note: See update on Trustico.)
Digital certificate reseller Trustico is sparring with certificate authority DigiCert, which recently took over Symantec's digital certificate business, over a serious security incident.
In dueling press releases, both companies accuse the other of unorthodox procedures regarding 23,000 digital certificates issued by Trustico. The private keys of those certificates have been leaked.
Digital security certificates create an encrypted connection using public key cryptography, typically indicated by "https" and a padlock appearing in the URL window of a browser. Browsing traffic can be intercepted, but if the data traffic is encrypted, it can't be read.
Trustico isn't saying how the 23,000 certificates may have been compromised. But the implication for websites using the certificates is clear: If the private key for the digital certificates has been exposed, it means an attacker could perform a man-in-the-middle attack and read the traffic.
DigiCert is in the process of revoking the certificates and has terminated its relationship with Trustico. For Trustico, the situation doesn't look good, contends Troy Hunt, an Australian security expert.
"To be honest, a large part of the problem here is that Trustico is not providing the industry ... with enough information to establish what did actually happen," Hunt says.
Emailed Private Keys
To get into the conflict requires a bit of history, and as with anything involving digital certificate vendors, it's a tortured one.
Google alleged Symantec didn't properly control its digital certificate-issuing infrastructure, issuing tens of thousands of improper certificates, including ones for Google domains. As a result, Google has a phased plan underway for its Chrome browser to distrust nearly all Symantec-issued certificates by October (see Don't Delay: Replace Symantec TLS/SSL Certs Now).
In early February, Trustico sent notice to DigiCert to revoke all of the security certificates it had ever issued, which numbers around 50,000. But the email went to the wrong address. Eventually, though, DigiCert was alerted.
Trustico needed DigiCert's cooperation because the company now holds Symantec's root certificates, which are needed for revocation. The certificates in question were issued under various brands that came from Symantec's acquisitions over the years, including Thawte, GeoTrust and RapidSSL.
DigiCert alleges in a press release that it asked Trustico for proof that the certificates were compromised, which it did not provide. DigiCert, under the assumption that the certificates were already compromised, asked Trustico to email the private keys, which it did. Trustico then emailed in plaintext format the private keys for 23,000 certificates - arguably the fastest but not the safest way to get the revocation process going.
By virtue of its having emailed the private keys in an unprotected form, DigiCert said it was left with no option but to treat the certificates as having been compromised. DigiCert then notified the holders of those certificates, which is required under the CA/Browser Forum Baseline Requirements.
The emailing of the private keys was unorthodox, but it didn't matter: Around 20,000 of the keys have so far been confirmed compromised via Certificate Transparency logs. The keys are in use, which makes this a serious security issue.
But after DigiCert notified holders of the affected certificates, Trustico accused DigiCert of hijacking the notification process. Trustico further disputes that the keys were compromised.
Zane Lucas, Trustico's general manager, wrote on the Mozilla dev group: "We didn't authorize DigitCert to contact our customers, and we didn't approve the content of their email. At no time had any private keys been compromised, nor had we ever informed to you that any private keys had been compromised."
Given the confusion over whether the keys had been compromised, DigiCert says it decided to revoke the keys on the basis that the information had been sent via email.
"As a CA [certificate authority], we had no choice but to follow baseline requirements," DigiCert writes.
Not Private Anymore
It's unclear how the private keys were compromised.
Typically, issuers of certificates should never hold the private keys. But hosting providers and content delivery networks sometimes do hold the private keys for customers on certain kinds of hosting packages.
Trustico has indicated that the blame for the key situation lies with the long-running trust issues around Symantec. Lucas writes that Trustico felt that the certificates it sold under the Symantec brand name - generated by Symantec's infrastructure - "were at risk."
"We were also a victim whereby Symantec mis-issued SSL certificates owned by us," he writes. "Subsequently, we were asked to keep the matter quiet under a confidentiality notice."
Lucas also writes that Trustico questioned Symantec for more than a year, but the company allegedly "ignored our concerns." Eventually, he writes that Trustico felt it didn't want to have any certificates left on Symantec - now DigiCert's - systems.
But DigiCert says it rejects Trustico's intimation that its request to revoke the 23,000 certificates is related to Google's eventual distrust of all Symantec certificates.
"That is incorrect," DigiCert says in its press release. "We want to make it clear that the certificates needed to be revoked because Trustico sent us the private keys; this has nothing to do with future potential updates."
Wow, this Trustico situation is a mess, their future isn't looking bright right now: https://t.co/GbRBLbuACs— Troy Hunt (@troyhunt) February 28, 2018
What To Do
So what should administrators do? It's probably a good idea to replace any Trustico digital certificates as quickly as possible. Although efforts are underway to see if the other 27,000 or so certificates are also compromised, it's probably best to stay on the safe side.